I don't know how to get TLS to work, but you should be able to do SSL by specifying that the LDAP port to use is 669 (LDAPs) in your radius.conf. I'm, however, having a similar problem in that I am unable to get it to work because of a complaint about a self-signed certificate. If you have any ideas on how to rectify that one, I'd appreciate it. I've posted my question to the list twice and have received zero response.
Owen
--On Wednesday, June 18, 2003 12:32 PM +0200 "Francisco Orozco/Upcnet" <[EMAIL PROTECTED]> wrote:
Hello to all,
I've been using FreeRadius for a year, but now I'd like to implement RADIUS with LDAP authentication, I've test it and It works great.
Now I'd like to protect radius - ldap server comunication using TLS. But I'm not able to do it.
My LDAP server is Notes Domino and I've been able to configure it correctly. I can connect to it using LDAP SSL/TLS, but I don't know how to implement this in FreeRadius.
I'm using freeradius-0.8.1 and this is my radiusd.conf
Can you help me?
When I try i view this log:
rad_recv: Access-Request packet from host 127.0.0.1:32792, id=101, length=60 User-Name = "test" User-Password = "1234567890" NAS-IP-Address = 255.255.255.255 NAS-Port = 1 rad_lowerpair: User-Name now 'test' rad_lowerpair: User-Password now '1234567890' modcall: entering group authorize rlm_ldap: - authorize rlm_ldap: performing user authorization for test radius_xlat: '(uid=test)' radius_xlat: 'o=Prova' ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap.server.mycompany.es:636, authentication 0 rlm_ldap: setting TLS mode to 1 rlm_ldap: starting TLS rlm_ldap: ldap_start_tls_s() rlm_ldap: could not start TLS Protocol error rlm_ldap: (re)connection attempt failed rlm_ldap: search failed ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns fail modcall: group authorize returns fail There was no response configured: rejecting request 0 Server rejecting request 0. Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 101 to 127.0.0.1:32792 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 101 with timestamp 3ef0694c Nothing to do. Sleeping until we see a request.
______________________________________ Paco Orozco ([EMAIL PROTECTED]) Divisi� de Telecomunicacions UPCNet Edifici V�rtex - Pl. Eusebi G�ell, 6 Tel�fon centraleta: 93.40.11600
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
